cve-2024-38599
Vulnerability from cvelistv5
Published
2024-06-19 13:45
Modified
2024-09-11 17:34
Severity
Summary
jffs2: prevent xattr node from overflowing the eraseblock
Impacted products
Vendor | Product
Linux | Linux
Linux | Linux


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T04:12:25.930Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/2904e1d9b64f72d291095e3cbb31634f08788b11"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/526235dffcac74c7823ed504dfac4f88d84ba5df"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/f0eea095ce8c959b86e1e57fe36ca4fea5ae54f8"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/a1d21bcd78cf4a4353e1e835789429c6b76aca8b"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/f06969df2e40ab1dc8f4364a5de967830c74a098"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/af82d8d2179b7277ad627c39e7e0778f1c86ccdb"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/8d431391320c5c5398ff966fb3a95e68a7def275"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/978a12c91b38bf1a213e567f3c20e2beef215f07"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/c6854e5a267c28300ff045480b5a7ee7f6f1d913"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-38599",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-10T17:13:27.704743Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-11T17:34:54.313Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/jffs2/xattr.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "2904e1d9b64f",
              "status": "affected",
              "version": "aa98d7cf59b5",
              "versionType": "git"
            },
            {
              "lessThan": "526235dffcac",
              "status": "affected",
              "version": "aa98d7cf59b5",
              "versionType": "git"
            },
            {
              "lessThan": "f0eea095ce8c",
              "status": "affected",
              "version": "aa98d7cf59b5",
              "versionType": "git"
            },
            {
              "lessThan": "a1d21bcd78cf",
              "status": "affected",
              "version": "aa98d7cf59b5",
              "versionType": "git"
            },
            {
              "lessThan": "f06969df2e40",
              "status": "affected",
              "version": "aa98d7cf59b5",
              "versionType": "git"
            },
            {
              "lessThan": "af82d8d2179b",
              "status": "affected",
              "version": "aa98d7cf59b5",
              "versionType": "git"
            },
            {
              "lessThan": "8d431391320c",
              "status": "affected",
              "version": "aa98d7cf59b5",
              "versionType": "git"
            },
            {
              "lessThan": "978a12c91b38",
              "status": "affected",
              "version": "aa98d7cf59b5",
              "versionType": "git"
            },
            {
              "lessThan": "c6854e5a267c",
              "status": "affected",
              "version": "aa98d7cf59b5",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/jffs2/xattr.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.18"
            },
            {
              "lessThan": "2.6.18",
              "status": "unaffected",
              "version": "0",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.316",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.278",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.219",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.161",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.93",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.33",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "6.8.*",
              "status": "unaffected",
              "version": "6.8.12",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "6.9.*",
              "status": "unaffected",
              "version": "6.9.3",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.10",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\njffs2: prevent xattr node from overflowing the eraseblock\n\nAdd a check to make sure that the requested xattr node size is no larger\nthan the eraseblock minus the cleanmarker.\n\nUnlike the usual inode nodes, the xattr nodes aren\u0027t split into parts\nand spread across multiple eraseblocks, which means that a xattr node\nmust not occupy more than one eraseblock. If the requested xattr value is\ntoo large, the xattr node can spill onto the next eraseblock, overwriting\nthe nodes and causing errors such as:\n\njffs2: argh. node added in wrong place at 0x0000b050(2)\njffs2: nextblock 0x0000a000, expected at 0000b00c\njffs2: error: (823) do_verify_xattr_datum: node CRC failed at 0x01e050,\nread=0xfc892c93, calc=0x000000\njffs2: notice: (823) jffs2_get_inode_nodes: Node header CRC failed\nat 0x01e00c. {848f,2fc4,0fef511f,59a3d171}\njffs2: Node at 0x0000000c with length 0x00001044 would run over the\nend of the erase block\njffs2: Perhaps the file system was created with the wrong erase size?\njffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found\nat 0x00000010: 0x1044 instead\n\nThis breaks the filesystem and can lead to KASAN crashes such as:\n\nBUG: KASAN: slab-out-of-bounds in jffs2_sum_add_kvec+0x125e/0x15d0\nRead of size 4 at addr ffff88802c31e914 by task repro/830\nCPU: 0 PID: 830 Comm: repro Not tainted 6.9.0-rc3+ #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996),\nBIOS Arch Linux 1.16.3-1-1 04/01/2014\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0xc6/0x120\n print_report+0xc4/0x620\n ? __virt_addr_valid+0x308/0x5b0\n kasan_report+0xc1/0xf0\n ? jffs2_sum_add_kvec+0x125e/0x15d0\n ? jffs2_sum_add_kvec+0x125e/0x15d0\n jffs2_sum_add_kvec+0x125e/0x15d0\n jffs2_flash_direct_writev+0xa8/0xd0\n jffs2_flash_writev+0x9c9/0xef0\n ? __x64_sys_setxattr+0xc4/0x160\n ? do_syscall_64+0x69/0x140\n ? 
entry_SYSCALL_64_after_hwframe+0x76/0x7e\n [...]\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-07-15T06:48:48.607Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/2904e1d9b64f72d291095e3cbb31634f08788b11"
        },
        {
          "url": "https://git.kernel.org/stable/c/526235dffcac74c7823ed504dfac4f88d84ba5df"
        },
        {
          "url": "https://git.kernel.org/stable/c/f0eea095ce8c959b86e1e57fe36ca4fea5ae54f8"
        },
        {
          "url": "https://git.kernel.org/stable/c/a1d21bcd78cf4a4353e1e835789429c6b76aca8b"
        },
        {
          "url": "https://git.kernel.org/stable/c/f06969df2e40ab1dc8f4364a5de967830c74a098"
        },
        {
          "url": "https://git.kernel.org/stable/c/af82d8d2179b7277ad627c39e7e0778f1c86ccdb"
        },
        {
          "url": "https://git.kernel.org/stable/c/8d431391320c5c5398ff966fb3a95e68a7def275"
        },
        {
          "url": "https://git.kernel.org/stable/c/978a12c91b38bf1a213e567f3c20e2beef215f07"
        },
        {
          "url": "https://git.kernel.org/stable/c/c6854e5a267c28300ff045480b5a7ee7f6f1d913"
        }
      ],
      "title": "jffs2: prevent xattr node from overflowing the eraseblock",
      "x_generator": {
        "engine": "bippy-c9c4e1df01b2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-38599",
    "datePublished": "2024-06-19T13:45:47.968Z",
    "dateReserved": "2024-06-18T19:36:34.932Z",
    "dateUpdated": "2024-09-11T17:34:54.313Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-38599\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-06-19T14:15:19.903\",\"lastModified\":\"2024-07-15T07:15:11.810\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\njffs2: prevent xattr node from overflowing the eraseblock\\n\\nAdd a check to make sure that the requested xattr node size is no larger\\nthan the eraseblock minus the cleanmarker.\\n\\nUnlike the usual inode nodes, the xattr nodes aren\u0027t split into parts\\nand spread across multiple eraseblocks, which means that a xattr node\\nmust not occupy more than one eraseblock. If the requested xattr value is\\ntoo large, the xattr node can spill onto the next eraseblock, overwriting\\nthe nodes and causing errors such as:\\n\\njffs2: argh. node added in wrong place at 0x0000b050(2)\\njffs2: nextblock 0x0000a000, expected at 0000b00c\\njffs2: error: (823) do_verify_xattr_datum: node CRC failed at 0x01e050,\\nread=0xfc892c93, calc=0x000000\\njffs2: notice: (823) jffs2_get_inode_nodes: Node header CRC failed\\nat 0x01e00c. {848f,2fc4,0fef511f,59a3d171}\\njffs2: Node at 0x0000000c with length 0x00001044 would run over the\\nend of the erase block\\njffs2: Perhaps the file system was created with the wrong erase size?\\njffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found\\nat 0x00000010: 0x1044 instead\\n\\nThis breaks the filesystem and can lead to KASAN crashes such as:\\n\\nBUG: KASAN: slab-out-of-bounds in jffs2_sum_add_kvec+0x125e/0x15d0\\nRead of size 4 at addr ffff88802c31e914 by task repro/830\\nCPU: 0 PID: 830 Comm: repro Not tainted 6.9.0-rc3+ #1\\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996),\\nBIOS Arch Linux 1.16.3-1-1 04/01/2014\\nCall Trace:\\n \u003cTASK\u003e\\n dump_stack_lvl+0xc6/0x120\\n print_report+0xc4/0x620\\n ? 
__virt_addr_valid+0x308/0x5b0\\n kasan_report+0xc1/0xf0\\n ? jffs2_sum_add_kvec+0x125e/0x15d0\\n ? jffs2_sum_add_kvec+0x125e/0x15d0\\n jffs2_sum_add_kvec+0x125e/0x15d0\\n jffs2_flash_direct_writev+0xa8/0xd0\\n jffs2_flash_writev+0x9c9/0xef0\\n ? __x64_sys_setxattr+0xc4/0x160\\n ? do_syscall_64+0x69/0x140\\n ? entry_SYSCALL_64_after_hwframe+0x76/0x7e\\n [...]\\n\\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: jffs2: evita que el nodo xattr desborde el bloque de borrado. Agregue una verificaci\u00f3n para asegurarse de que el tama\u00f1o del nodo xattr solicitado no sea mayor que el bloque de borrado menos el marcador de limpieza. A diferencia de los nodos de inodo habituales, los nodos xattr no se dividen en partes ni se distribuyen en m\u00faltiples bloques de borrado, lo que significa que un nodo xattr no debe ocupar m\u00e1s de un bloque de borrado. Si el valor xattr solicitado es demasiado grande, el nodo xattr puede extenderse al siguiente bloque de borrado, sobrescribiendo los nodos y provocando errores como: jffs2: argh. nodo agregado en un lugar incorrecto en 0x0000b050(2) jffs2: nextblock 0x0000a000, esperado en 0000b00c jffs2: error: (823) do_verify_xattr_datum: el CRC del nodo fall\u00f3 en 0x01e050, read=0xfc892c93, calc=0x000000 jffs2: aviso: 823) jffs2_get_inode_nodes: Nodo El CRC del encabezado fall\u00f3 en 0x01e00c. {848f,2fc4,0fef511f,59a3d171} jffs2: El nodo en 0x0000000c con longitud 0x00001044 se ejecutar\u00eda sobre el final del bloque de borrado jffs2: \u00bfQuiz\u00e1s el sistema de archivos se cre\u00f3 con un tama\u00f1o de borrado incorrecto? jffs2: jffs2_scan_eraseblock(): M\u00e1scara de bits m\u00e1gica 0x1985 no encontrada en 0x00000010: 0x1044 en su lugar. 
Esto rompe el sistema de archivos y puede provocar fallas de KASAN como: ERROR: KASAN: losa fuera de los l\u00edmites en jffs2_sum_add_kvec+0x125e/0x15d0 Lectura de tama\u00f1o 4 en addr ffff88802c31e914 por tarea repro/830 CPU: 0 PID: 830 Comm: repro Not tainted 6.9.0-rc3+ #1 Nombre de hardware: PC est\u00e1ndar QEMU (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 01/04/2014 Seguimiento de llamadas:  dump_stack_lvl+0xc6/0x120 print_report+0xc4/0x620 ? __virt_addr_valid+0x308/0x5b0 kasan_report+0xc1/0xf0 ? jffs2_sum_add_kvec+0x125e/0x15d0? jffs2_sum_add_kvec+0x125e/0x15d0 jffs2_sum_add_kvec+0x125e/0x15d0 jffs2_flash_direct_writev+0xa8/0xd0 jffs2_flash_writev+0x9c9/0xef0 ? __x64_sys_setxattr+0xc4/0x160 ? do_syscall_64+0x69/0x140? Entry_SYSCALL_64_after_hwframe+0x76/0x7e [...] Encontrado por el Centro de verificaci\u00f3n de Linux (linuxtesting.org) con Syzkaller.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/2904e1d9b64f72d291095e3cbb31634f08788b11\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/526235dffcac74c7823ed504dfac4f88d84ba5df\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/8d431391320c5c5398ff966fb3a95e68a7def275\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/978a12c91b38bf1a213e567f3c20e2beef215f07\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/a1d21bcd78cf4a4353e1e835789429c6b76aca8b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/af82d8d2179b7277ad627c39e7e0778f1c86ccdb\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/c6854e5a267c28300ff045480b5a7ee7f6f1d913\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/f06969df2e40ab1dc8f4364a5de967830c74a098\",\"source\":\"416baaa9-dc9f-43
96-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/f0eea095ce8c959b86e1e57fe36ca4fea5ae54f8\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}

